Rust: Add some missing path / file metadata models.

geoffw0 · geoffw0 · commit aca7877be23a · 2025-11-21T15:02:25.000Z
diff --git a/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml b/rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml
@@ -3,14 +3,27 @@ extensions:
       pack: codeql/rust-all
       extensible: sourceModel
     data:
+      - ["std::fs::exists", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
       - ["std::fs::read", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["std::fs::read_dir", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
       - ["std::fs::read_to_string", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
       - ["std::fs::read_link", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["std::fs::metadata", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["std::fs::symlink_metadata", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
       - ["<std::fs::DirEntry>::path", "ReturnValue", "file", "manual"]
       - ["<std::fs::DirEntry>::file_name", "ReturnValue", "file", "manual"]
       - ["<std::fs::File>::open", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
       - ["<std::fs::File>::open_buffered", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
       - ["<std::fs::OpenOptions>::open", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["<std::path::Path>::exists", "ReturnValue", "file", "manual"]
+      - ["<std::path::Path>::try_exists", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["<std::path::Path>::is_file", "ReturnValue", "file", "manual"]
+      - ["<std::path::Path>::is_dir", "ReturnValue", "file", "manual"]
+      - ["<std::path::Path>::is_symlink", "ReturnValue", "file", "manual"]
+      - ["<std::path::Path>::metadata", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["<std::path::Path>::symlink_metadata", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["<std::path::Path>::read_dir", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
+      - ["<std::path::Path>::read_link", "ReturnValue.Field[core::result::Result::Ok(0)]", "file", "manual"]
   - addsTo:
       pack: codeql/rust-all
       extensible: sinkModel
@@ -68,3 +81,12 @@ extensions:
       - ["<std::path::Path>::with_extension", "Argument[Self].Reference", "ReturnValue", "taint", "manual"]
       - ["<std::path::Path>::with_file_name", "Argument[Self].Reference", "ReturnValue", "taint", "manual"]
       - ["<std::path::Path>::with_file_name", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["<std::fs::Metadata>::accessed", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
+      - ["<std::fs::Metadata>::created", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
+      - ["<std::fs::Metadata>::file_type", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
+      - ["<std::fs::Metadata>::is_file", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
+      - ["<std::fs::Metadata>::is_dir", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
+      - ["<std::fs::Metadata>::is_symlink", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
+      - ["<std::fs::Metadata>::len", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
+      - ["<std::fs::Metadata>::modified", "Argument[self].Reference", "ReturnValue.Field[core::result::Result::Ok(0)]", "taint", "manual"]
+      - ["<std::fs::Metadata>::permissions", "Argument[self].Reference", "ReturnValue", "taint", "manual"]
diff --git a/rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected b/rust/ql/test/query-tests/security/CWE-295/DisabledCertificateCheck.expected
@@ -12,16 +12,24 @@
 | main.rs:83:32:83:37 | always | main.rs:74:15:74:18 | true | main.rs:83:32:83:37 | always | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 | main.rs:88:32:88:40 | sometimes | main.rs:75:22:75:25 | true | main.rs:88:32:88:40 | sometimes | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 | main.rs:93:32:93:47 | sometimes_global | main.rs:154:17:154:20 | true | main.rs:93:32:93:47 | sometimes_global | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
+| main.rs:109:36:109:37 | b1 | main.rs:107:17:107:31 | ...::exists | main.rs:109:36:109:37 | b1 | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 | main.rs:146:36:146:37 | b6 | main.rs:144:39:144:42 | true | main.rs:146:36:146:37 | b6 | Disabling TLS certificate validation can expose the application to man-in-the-middle attacks. |
 edges
 | main.rs:73:19:73:40 | ...: bool | main.rs:93:32:93:47 | sometimes_global | provenance |  |
 | main.rs:74:6:74:11 | always | main.rs:83:32:83:37 | always | provenance |  |
 | main.rs:74:15:74:18 | true | main.rs:74:6:74:11 | always | provenance |  |
 | main.rs:75:6:75:18 | mut sometimes | main.rs:88:32:88:40 | sometimes | provenance |  |
 | main.rs:75:22:75:25 | true | main.rs:75:6:75:18 | mut sometimes | provenance |  |
+| main.rs:107:6:107:7 | b1 | main.rs:109:36:109:37 | b1 | provenance |  |
+| main.rs:107:17:107:31 | ...::exists | main.rs:107:17:107:42 | ...::exists(...) [Ok] | provenance | Src:MaD:1  |
+| main.rs:107:17:107:42 | ...::exists(...) [Ok] | main.rs:107:17:107:51 | ... .unwrap() | provenance | MaD:2 |
+| main.rs:107:17:107:51 | ... .unwrap() | main.rs:107:6:107:7 | b1 | provenance |  |
 | main.rs:144:6:144:7 | b6 | main.rs:146:36:146:37 | b6 | provenance |  |
 | main.rs:144:39:144:42 | true | main.rs:144:6:144:7 | b6 | provenance |  |
 | main.rs:154:17:154:20 | true | main.rs:73:19:73:40 | ...: bool | provenance |  |
+models
+| 1 | Source: std::fs::exists; ReturnValue.Field[core::result::Result::Ok(0)]; file |
+| 2 | Summary: <core::result::Result>::unwrap; Argument[self].Field[core::result::Result::Ok(0)]; ReturnValue; value |
 nodes
 | main.rs:4:32:4:35 | true | semmle.label | true |
 | main.rs:9:36:9:39 | true | semmle.label | true |
@@ -41,6 +49,11 @@ nodes
 | main.rs:83:32:83:37 | always | semmle.label | always |
 | main.rs:88:32:88:40 | sometimes | semmle.label | sometimes |
 | main.rs:93:32:93:47 | sometimes_global | semmle.label | sometimes_global |
+| main.rs:107:6:107:7 | b1 | semmle.label | b1 |
+| main.rs:107:17:107:31 | ...::exists | semmle.label | ...::exists |
+| main.rs:107:17:107:42 | ...::exists(...) [Ok] | semmle.label | ...::exists(...) [Ok] |
+| main.rs:107:17:107:51 | ... .unwrap() | semmle.label | ... .unwrap() |
+| main.rs:109:36:109:37 | b1 | semmle.label | b1 |
 | main.rs:144:6:144:7 | b6 | semmle.label | b6 |
 | main.rs:144:39:144:42 | true | semmle.label | true |
 | main.rs:146:36:146:37 | b6 | semmle.label | b6 |
diff --git a/rust/ql/test/query-tests/security/CWE-295/main.rs b/rust/ql/test/query-tests/security/CWE-295/main.rs
@@ -104,9 +104,9 @@ fn test_threat_model_source() {
 	// hostname setting from `fs` functions returning `bool` directly
 	// (these are highly unnatural but serve to create simple tests)
 
-	let b1: bool = std::fs::exists("main.rs").unwrap();
+	let b1: bool = std::fs::exists("main.rs").unwrap(); // $ Source=exists
 	let _client = native_tls::TlsConnector::builder()
-		.danger_accept_invalid_hostnames(b1) // $ MISSING: Alert[rust/disabled-certificate-check]=fs
+		.danger_accept_invalid_hostnames(b1) // $ Alert[rust/disabled-certificate-check]=exists
 		.build()
 		.unwrap();
 
